USN-1134-1: APR vulnerabilities

Publication date

24 May 2011

Overview

A denial of service issue exists that affects the Apache web server.


Packages

  • apache2 - a scalable, extensible web server
  • apr - The Apache Portable Runtime Library

Details

Maksymilian Arciemowicz reported that a flaw in the fnmatch()
implementation in the Apache Portable Runtime (APR) library could allow
an attacker to cause a denial of service. This can be demonstrated
in a remote denial of service attack against mod_autoindex in the
Apache web server. (CVE-2011-0419)

It was discovered that the fix for CVE-2011-0419 introduced a different
flaw in the fnmatch() implementation that could also result in a
denial of service. (CVE-2011-1928)

Update instructions

After a standard system update you need to restart the Apache web server or any other service that depends on the APR library to make all the necessary changes.


The problem can be corrected by updating your system to the following package versions:

Ubuntu Release     Package    Version
6.06  dapper       libapr0    2.0.55-4ubuntu2.13
8.04  hardy        libapr1    1.2.11-1ubuntu0.2
10.04 lucid        libapr1    1.3.8-1ubuntu0.3
10.10 maverick     libapr1    1.4.2-3ubuntu1.1
11.04 natty        libapr1    1.4.2-7ubuntu2.1
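The following is an added example, not part of the notice: a self-contained check that compares the libapr version reported by dpkg-query on a host against the fixed versions in the table above. It re-implements dpkg's version-ordering rules in Python so the comparison can be run on an analysis host that does not have dpkg installed.

```python
"""Check an installed libapr/libapr1 version against the USN-1134-1 fixed versions (no dpkg needed)."""
import re
from itertools import zip_longest
# Fixed package versions from USN-1134-1, keyed by Ubuntu release codename.
FIXED_VERSIONS = {
    "dapper": ("libapr0", "2.0.55-4ubuntu2.13"),
    "hardy": ("libapr1", "1.2.11-1ubuntu0.2"),
    "lucid": ("libapr1", "1.3.8-1ubuntu0.3"),
    "maverick": ("libapr1", "1.4.2-3ubuntu1.1"),
    "natty": ("libapr1", "1.4.2-7ubuntu2.1"),
}

def _order(c):
    """dpkg ordering for one non-digit character: '~' < end-of-string < letters < others."""
    if c in ("~", ""):
        return -1 if c == "~" else 0
    return ord(c) if c.isalpha() else ord(c) + 256

def _cmp_fragment(a, b):
    """Compare two upstream-version or revision strings the way dpkg does."""
    while a or b:
        # Non-digit runs are compared character by character under _order() ...
        na, nb = re.match(r"\D*", a).group(), re.match(r"\D*", b).group()
        for x, y in zip_longest(na, nb, fillvalue=""):
            if _order(x) != _order(y):
                return _order(x) - _order(y)
        a, b = a[len(na):], b[len(nb):]
        # ... and digit runs numerically, so revision "2.13" sorts after "2.9".
        da, db = re.match(r"\d*", a).group(), re.match(r"\d*", b).group()
        if int(da or 0) != int(db or 0):
            return int(da or 0) - int(db or 0)
        a, b = a[len(da):], b[len(db):]
    return 0

def _split(version):
    """Split '[epoch:]upstream[-revision]' into (epoch, upstream, revision)."""
    epoch, _, rest = version.partition(":") if ":" in version else ("0", "", version)
    upstream, _, revision = rest.rpartition("-") if "-" in rest else (rest, "", "")
    return int(epoch), upstream, revision

def compare_versions(a, b):
    """Negative, zero or positive, matching the ordering used by dpkg --compare-versions."""
    ea, ua, ra = _split(a)
    eb, ub, rb = _split(b)
    return (ea - eb) or _cmp_fragment(ua, ub) or _cmp_fragment(ra, rb)

def is_patched(codename, installed_version):
    """True if installed_version is at or above the USN-1134-1 fixed version for that release."""
    _pkg, fixed = FIXED_VERSIONS[codename]
    return compare_versions(installed_version, fixed) >= 0
```

Feed it the output of `dpkg-query -W -f='${Version}' libapr1` (or libapr0 on dapper) together with the release codename; a later security update with a higher revision also counts as patched, which is why a version comparison rather than an exact string match is used.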
